ICO warns councils to better prepare for the GDPR

Many councils “have work to do” before the EU’s General Data Protection Regulation (GDPR) is enforced, according to Anulka Clarke, head of good practice at the Information Commissioner’s Office (ICO).

Clarke’s comments came in response to a survey of local councils published by the ICO last week. She said that although “there is a lot of good practice out there”, the overarching conclusion of the ICO’s analysis was that many councils are not currently prepared for the requirements of the GDPR.

Of the councils surveyed:

  • 26% don’t have a data protection officer (DPO)
  • 18% don’t have data protection training for employees processing personal data
  • 34% don’t do privacy impact assessments (PIAs)

Under the GDPR, all public authorities must have a DPO, and under certain circumstances they will be required to perform PIAs – or, to use the GDPR’s term, DPIAs (data protection impact assessments).

Organisations will need to conduct a DPIA whenever processing is likely to result in a high risk to the rights and freedoms of individuals. The GDPR (Article 35) names three cases in which this is always required: systematic and extensive evaluation of individuals based on automated processing, including profiling, where decisions produce legal or similarly significant effects; large-scale processing of special categories of personal data or of data relating to criminal convictions; and systematic monitoring of a publicly accessible area on a large scale.

A privacy by design approach

DPIAs are part of a ‘privacy by design’ approach to projects – i.e., a method that builds privacy and data protection compliance into a project from the outset. As the ICO puts it, this avoids privacy measures being “bolted on” to projects as an afterthought.

By identifying privacy risks before processing begins, DPIAs help reduce the financial and reputational costs that might otherwise accompany a breach of data protection laws and regulations.

Training and workshops

All UK organisations that process, store or transfer personal data should make DPIAs a standard tool in their project planning. In addition to meeting the requirements of the GDPR, they fit naturally into the risk-based approach to information security that ISO 27001 requires.

Anyone responsible for ensuring their organisation is fully compliant with its data privacy obligations is advised to consider IT Governance’s Data Protection Impact Assessment (DPIA) Workshop, a one-day classroom session designed to provide delegates with the practical knowledge to undertake effective DPIAs.

The course explains how to develop a DPIA, implement the project, monitor the results and take action where required. It also helps create more efficient processes for handling personal data and enables continual process improvement with the regular use of DPIAs.

Find out more about the Data Protection Impact Assessment (DPIA) Workshop >>